Next: About this document
Up: No Title
Previous: Security in Multics
Aims: meet the requirements of the DoD Orange Book (TCSEC) at class C2, "controlled access protection", the level of security assurance expected of commercial computer products. Note that NT's C2 evaluation covered a stand-alone, non-networked configuration; network security is a separate matter (see the last section).
The Structure
- Portable OS with minimal dependence on hardware features
- All computer resources - files, memory, processes, synchronisation
primitives such as semaphores, and ports - are treated as objects, created
and opened through the Object Manager, so every access goes through one
place where the security check can be made
- Windows NT consists of an executive plus several protected subsystems
(servers); the executive sits on top of the HAL (hardware abstraction
layer) and runs in kernel mode, while the subsystems run in user mode
- The security component consists of two parts: Winlogon and a protected
server, the Local Security Authority (LSA); both execute in user mode
- The LSA relies on the Security Accounts Manager (SAM), which holds the
account database, and on two executive components, the Object Manager and
the Security Reference Monitor (SRM), to determine access privileges and
obtain system resources; the SRM performs the actual access check in
kernel mode
- Each user and group has a security ID (SID); each object carries an
access control list (ACL) stating which users/groups are allowed (or
denied) which operations on it. The order of entries in the list matters:
a deny entry placed after an allow entry that already satisfies the
request is never reached
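To make the SID/ACL model concrete, here is an added example (not code from these notes or from Windows) that models how the Security Reference Monitor evaluates a discretionary ACL for a caller's token. It assumes the documented rules: a NULL (absent) ACL grants everything, an empty ACL grants nothing, entries are walked in order, a deny entry matching one of the token's SIDs and a still-wanted access bit refuses the request at once, allow entries accumulate bits, and evaluation stops as soon as every requested bit is granted. The access-mask bit values and the domain user SIDs are illustrative; S-1-5-32-544 and S-1-5-32-545 are the real well-known Administrators and Users SIDs.

```python
"""NT-style discretionary access check: a model of the documented DACL
evaluation rules (added example; not code from the notes or from Windows).
Access-mask bits and the S-1-5-21-... user SIDs are illustrative."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Illustrative access-mask bits (NT uses per-object-type masks).
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8
ALL = READ | WRITE | EXECUTE | DELETE

ADMINISTRATORS = "S-1-5-32-544"   # well-known BUILTIN\Administrators
USERS = "S-1-5-32-545"            # well-known BUILTIN\Users


@dataclass
class Ace:
    kind: str    # "allow" or "deny"
    sid: str     # user or group SID the entry applies to
    mask: int    # access bits granted or denied


@dataclass
class Token:
    user_sid: str
    group_sids: List[str] = field(default_factory=list)

    def sids(self) -> Set[str]:
        return {self.user_sid, *self.group_sids}


def is_canonical(dacl: List[Ace]) -> bool:
    """Canonical order puts every deny before any allow, so a deny can never
    be skipped because an earlier allow already satisfied the request."""
    seen_allow = False
    for ace in dacl:
        if ace.kind == "allow":
            seen_allow = True
        elif seen_allow:
            return False
    return True


def access_check(token: Token, dacl: Optional[List[Ace]], desired: int) -> bool:
    """Return True iff every bit in `desired` is granted to `token` by `dacl`."""
    if dacl is None:               # NULL DACL: the object is unprotected
        return True
    remaining = desired
    token_sids = token.sids()
    for ace in dacl:               # an empty DACL never grants anything
        if remaining == 0:
            break
        if ace.sid not in token_sids:
            continue
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False
        elif ace.kind == "allow":
            remaining &= ~ace.mask
        else:
            raise ValueError(f"unknown ACE type {ace.kind!r}")
    return remaining == 0


def demo() -> dict:
    """Worked scenario with constructed principals."""
    alice = Token("S-1-5-21-0-0-0-1001", [USERS])                  # ordinary user
    admin = Token("S-1-5-21-0-0-0-500", [ADMINISTRATORS, USERS])
    canonical = [
        Ace("deny", alice.user_sid, WRITE),     # alice specifically may not write
        Ace("allow", USERS, READ | WRITE),      # other Users may read and write
        Ace("allow", ADMINISTRATORS, ALL),
    ]
    misordered = [canonical[1], canonical[2], canonical[0]]   # deny moved last
    return {
        "alice_read": access_check(alice, canonical, READ),                 # True
        "alice_write": access_check(alice, canonical, WRITE),               # False
        "alice_delete": access_check(alice, canonical, DELETE),             # False: nothing grants it
        "admin_all": access_check(admin, canonical, ALL),                   # True
        "alice_write_misordered": access_check(alice, misordered, WRITE),   # True: deny never reached
        "misordered_is_canonical": is_canonical(misordered),                # False
        "null_dacl": access_check(alice, None, ALL),                        # True
        "empty_dacl": access_check(alice, [], READ),                        # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `misordered` case is the practical lesson: tools that write ACLs must keep deny entries first, otherwise a deny intended for one user is silently overridden by a broader group allow.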
Authentication
Identifies the user at logon, which is started by pressing Ctrl-Alt-Del
(the Secure Attention Sequence, SAS).
- Implements the Orange Book "trusted path" requirement: the SAS is
intercepted by the OS (Winlogon) and cannot be captured by an ordinary
program, so the user is assured that the resulting prompt for username and
password comes from the OS and not from a spoofing program planted by a
malicious user
- Every user belongs to one or more groups; a few special groups (for
example Administrators, Users and Guests) are built in
- Each group has a name and a set of user rights (operations permitted)
- A user has the union of the rights of all the groups he/she belongs to,
plus any rights granted directly to that user by the administrator
- Roughly two dozen user rights, for example setting up printers, adding
hardware such as Ethernet cards (loading device drivers), and shutting the
system down. User rights are system-wide privileges, distinct from the
per-object permissions held in ACLs
Auditing
User Manager controls the auditing policy, i.e. keeping a record of who
accessed the system, what they did and when (and possibly also from where).
- Auditing slows the system; use User Manager to select only the level of
auditing required
- Audited user actions fall into 7 categories, such as file and object
access, logon and logoff, and use of user rights; within each category
success and failure can be audited independently. File and object access
additionally requires auditing entries to be set on the individual objects
concerned, or nothing is recorded for them
- View audit records with the Event Viewer, which shows system events,
application events or security events, each record carrying a time-stamp
- The log is itself an object with an associated access control list:
by default only the Administrators group may read and clear the security
log, but access can be granted to other authorised users
- It is possible to force a system shutdown when the security log is full
(the CrashOnAuditFail setting), so that no action goes unaudited; the price
is that an attacker who can fill the log can take the machine down
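As an added example (not code from these notes or from Windows), the following models the audit scheme just described: a per-category policy of success/failure auditing, a fixed-capacity security log that either drops events or halts when full, and a small detection run over the recorded events. Category names paraphrase NT's seven audit categories; the event records, user names and policy are constructed for the example.

```python
"""Audit policy, security-log handling and a detection over the log, modelled
on the NT scheme (added example; not code from the notes or from Windows).
Categories paraphrase NT's seven; events and policy are constructed."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

CATEGORIES = (
    "logon_logoff", "file_object_access", "use_of_user_rights",
    "user_group_management", "security_policy_changes",
    "restart_shutdown_system", "process_tracking",
)


@dataclass(frozen=True)
class Event:
    timestamp: str   # each record carries a time-stamp, as in the Event Viewer
    category: str
    success: bool
    user: str
    detail: str


class AuditLogFull(Exception):
    """Raised instead of silently dropping when halt_when_full is set."""


class SecurityLog:
    def __init__(self, policy: Dict[str, Tuple[bool, bool]], capacity: int,
                 halt_when_full: bool = False):
        unknown = set(policy) - set(CATEGORIES)
        if unknown:
            raise ValueError(f"unknown audit categories: {sorted(unknown)}")
        self.policy = policy          # category -> (audit_success, audit_failure)
        self.capacity = capacity
        self.halt_when_full = halt_when_full
        self.records: List[Event] = []
        self.dropped = 0

    def should_audit(self, ev: Event) -> bool:
        audit_success, audit_failure = self.policy.get(ev.category, (False, False))
        return audit_success if ev.success else audit_failure

    def record(self, ev: Event) -> bool:
        """Return True if the event was written to the log."""
        if not self.should_audit(ev):
            return False
        if len(self.records) >= self.capacity:
            if self.halt_when_full:       # the 'shut down when log is full' choice
                raise AuditLogFull(f"security log full; cannot audit {ev.detail!r}")
            self.dropped += 1
            return False
        self.records.append(ev)
        return True


def failed_logons_by_user(records: List[Event], threshold: int) -> Dict[str, int]:
    """Detection over the log: accounts with at least `threshold` failed logons."""
    counts = Counter(r.user for r in records
                     if r.category == "logon_logoff" and not r.success)
    return {user: n for user, n in counts.items() if n >= threshold}


# Constructed sample events (not real Event Viewer output).
SAMPLE_EVENTS = [
    Event("1997-02-16T09:00:01", "logon_logoff", True, "alice", "interactive logon"),
    Event("1997-02-16T09:02:10", "logon_logoff", False, "bob", "bad password"),
    Event("1997-02-16T09:02:15", "logon_logoff", False, "bob", "bad password"),
    Event("1997-02-16T09:02:21", "logon_logoff", False, "bob", "bad password"),
    Event("1997-02-16T09:05:00", "file_object_access", True, "alice", "read payroll"),
    Event("1997-02-16T09:06:30", "file_object_access", False, "bob", "open payroll"),
    Event("1997-02-16T09:07:00", "use_of_user_rights", True, "alice", "shut down"),
]

POLICY = {
    "logon_logoff": (True, True),          # audit both success and failure
    "file_object_access": (False, True),   # failures only: cheaper, still catches probing
    # use_of_user_rights absent: not audited at all
}


def run(capacity: int = 100, halt_when_full: bool = False) -> SecurityLog:
    log = SecurityLog(POLICY, capacity, halt_when_full)
    for ev in SAMPLE_EVENTS:
        log.record(ev)
    return log


def halts_when_full(capacity: int) -> bool:
    """True if replaying the sample with halt_when_full set stops the system."""
    try:
        run(capacity, halt_when_full=True)
    except AuditLogFull:
        return True
    return False


if __name__ == "__main__":
    log = run()
    print(len(log.records), "records,", log.dropped, "dropped")
    print("repeated failed logons:", failed_logons_by_user(log.records, 3))
```

With the constructed policy only five of the seven events are recorded; the successful file read and the use of the shutdown right are never written, which is exactly the trade-off the notes describe between audit detail and overhead.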
Object Reuse
NT's logical objects are backed by physical RAM and disk space. Because
that storage is continually recycled (swapping, file deletion,
reallocation), the OS must ensure that a user never sees the remains of
another user's work.
- Deleting a file on a DOS (FAT) disk DOES NOT clear its contents: the
directory entry is marked unused and its clusters are marked free in the
FAT, but the data stays on disk until overwritten and can be recovered by
analysing the directory entries and the FAT
- NT tries to prevent this: a newly created object starts empty, with zero
length, and the contents of whatever previously occupied its storage are
not exposed through it
- A process is prohibited from reading past a file's logical EOF marker, so
old data in the space beyond the end of a file is not returned
- NT clears RAM before allocating it to a process (pages are zero-filled)
and prevents probing of arbitrary memory locations: a process can access
only the blocks of memory granted to it in its own address space
- Caveat: this is protection at the OS interface, not erasure. Deleted
data still lies on the disk and is visible to anyone with raw access to the
device or who boots another OS; only overwriting removes it
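The FAT point above is worth seeing in bytes. The following added example (not code from these notes) builds a tiny FAT-style volume in memory, creates a file, deletes it the DOS way, and then recovers it purely from the leftover directory entry and data clusters; it also shows the object-reuse-safe alternative of overwriting the clusters before unlinking. The FAT uses 16-bit entries (FAT16 layout) with one sector per cluster for simplicity; the geometry, file name and contents are all constructed for the example.

```python
"""Why 'erasing' a DOS (FAT) disk leaves file contents behind (added example;
not code from the notes). Tiny in-memory volume: boot sector with BPB, one
FAT with 16-bit entries, a 16-entry root directory, and a data area.
Geometry, file name and contents are constructed for this example."""
import struct

BYTES_PER_SECTOR = 512
RESERVED_SECTORS = 1                      # boot sector only
FAT_SECTORS = 1
ROOT_ENTRIES = 16                         # 16 * 32 bytes = exactly one sector
TOTAL_SECTORS = 16
ROOT_DIR_SECTOR = RESERVED_SECTORS + FAT_SECTORS                              # 2
FIRST_DATA_SECTOR = ROOT_DIR_SECTOR + ROOT_ENTRIES * 32 // BYTES_PER_SECTOR   # 3
DELETED_MARK = 0xE5                       # first byte of a deleted directory entry
END_OF_CHAIN = 0xFFFF


def fat_offset(cluster: int) -> int:
    return RESERVED_SECTORS * BYTES_PER_SECTOR + 2 * cluster


def fat_entry(img: bytearray, cluster: int) -> int:
    return struct.unpack_from("<H", img, fat_offset(cluster))[0]


def cluster_offset(cluster: int) -> int:
    return (FIRST_DATA_SECTOR + cluster - 2) * BYTES_PER_SECTOR   # data starts at cluster 2


def entry_offset(index: int) -> int:
    return ROOT_DIR_SECTOR * BYTES_PER_SECTOR + 32 * index


def make_image() -> bytearray:
    img = bytearray(TOTAL_SECTORS * BYTES_PER_SECTOR)
    # BPB at the offsets a FAT driver reads: 0x0B bytes/sector, 0x0D sectors/cluster,
    # 0x0E reserved, 0x10 FATs, 0x11 root entries, 0x13 total sectors, 0x15 media,
    # 0x16 sectors/FAT.
    struct.pack_into("<HBHBHHBH", img, 0x0B, BYTES_PER_SECTOR, 1, RESERVED_SECTORS,
                     1, ROOT_ENTRIES, TOTAL_SECTORS, 0xF8, FAT_SECTORS)
    img[510:512] = b"\x55\xAA"
    struct.pack_into("<HH", img, fat_offset(0), 0xFFF8, END_OF_CHAIN)  # reserved FAT[0], FAT[1]
    return img


def write_file(img: bytearray, index: int, name83: str, data: bytes, first_cluster: int):
    """Create a file: contiguous cluster chain, data, and a directory entry."""
    n_clusters = max(1, -(-len(data) // BYTES_PER_SECTOR))
    for i in range(n_clusters):
        c = first_cluster + i
        struct.pack_into("<H", img, fat_offset(c), c + 1 if i < n_clusters - 1 else END_OF_CHAIN)
        chunk = data[i * BYTES_PER_SECTOR:(i + 1) * BYTES_PER_SECTOR]
        img[cluster_offset(c):cluster_offset(c) + len(chunk)] = chunk
    e = entry_offset(index)
    img[e:e + 11] = name83.encode("ascii").ljust(11)           # 8.3 name, space padded
    img[e + 11] = 0x20                                          # attribute: archive
    struct.pack_into("<HI", img, e + 26, first_cluster, len(data))  # start cluster, size


def chain(img: bytearray, first_cluster: int) -> list:
    """Follow the FAT chain starting at first_cluster."""
    clusters, c = [], first_cluster
    while 2 <= c < 0xFFF8:
        clusters.append(c)
        c = fat_entry(img, c)
    return clusters


def dos_delete(img: bytearray, index: int):
    """What DEL does: mark the entry deleted and free the chain. Data untouched."""
    e = entry_offset(index)
    first, _size = struct.unpack_from("<HI", img, e + 26)
    for c in chain(img, first):
        struct.pack_into("<H", img, fat_offset(c), 0)   # 0 = free cluster
    img[e] = DELETED_MARK


def secure_delete(img: bytearray, index: int):
    """Object-reuse-safe delete: zero the clusters first, then unlink."""
    e = entry_offset(index)
    first, _size = struct.unpack_from("<HI", img, e + 26)
    for c in chain(img, first):
        img[cluster_offset(c):cluster_offset(c) + BYTES_PER_SECTOR] = bytes(BYTES_PER_SECTOR)
    dos_delete(img, index)


def recover_deleted(img: bytearray) -> dict:
    """Undelete by directory/FAT analysis: a 0xE5 entry still carries start cluster
    and size; the chain is gone, so assume the file was contiguous."""
    found = {}
    for i in range(ROOT_ENTRIES):
        e = entry_offset(i)
        if img[e] != DELETED_MARK:
            continue
        raw = b"?" + bytes(img[e + 1:e + 11])   # only the first name character is lost
        name = raw[:8].decode("ascii").rstrip() + "." + raw[8:].decode("ascii").rstrip()
        first, size = struct.unpack_from("<HI", img, e + 26)
        start = cluster_offset(first)
        found[name] = bytes(img[start:start + size])
    return found


SAMPLE = b"payroll: alice 50000, bob 42000\n" * 40   # constructed, 1280 bytes -> 3 clusters


def demo(secure: bool = False) -> dict:
    img = make_image()
    write_file(img, 0, "SECRET  TXT", SAMPLE, first_cluster=2)
    (secure_delete if secure else dos_delete)(img, 0)
    return recover_deleted(img)


if __name__ == "__main__":
    print("after DOS delete:   ", demo()["?ECRET.TXT"][:32])
    print("after secure delete:", demo(secure=True)["?ECRET.TXT"][:32])
```

Real undelete tools do the same walk over the directory and FAT; the contiguity assumption is why recovery succeeds on a freshly written file and degrades on a fragmented one. The NT guarantee in the notes is the OS-interface equivalent of `secure_delete`: nothing is handed back through a new object, but the bytes on the platter are a separate question.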
Network Security
Still a major topic for NT; it may be covered later.
Omer F Rana
Sun Feb 16 17:49:18 GMT 1997